sans.org/curricula/management (poster MGT-PSTR-CISO/SOC-0217-v2)
Security Leadership POSTER v. 1.0
CISO Mind Map Version 1.0 and Security Operations Center (SOC) Essential Functions
For Cyber Leaders of Today and Tomorrow

CURRICULUM: Get the right training to build and lead a world-class security team.
FOUNDATIONAL
• MGT512 SANS Security Leadership Essentials for Managers with Knowledge Compression™ (GSLC)
• MGT525 IT Project Management, Effective Communication, and PMP® Exam Prep (GCPM)
• MGT414 SANS Training Program for CISSP® Certification (GISP)
• SEC566 Implementing and Auditing the Critical Security Controls – In-Depth (GCCC)

CORE
• LEG523 Law of Data Security and Investigations (GLEG)
• MGT514 IT Security Strategic Planning, Policy, and Leadership
• MGT415 A Practical Introduction to Cybersecurity Risk Management
• MGT517 Managing Security Operations: Detection, Response, and Intelligence

SPECIALIZATION
• MGT433 Securing the Human: How to Build, Maintain, and Measure a High-Impact Awareness Program
• MGT305 Technical Communication and Presentation Skills for Security Professionals
• AUD507 Auditing & Monitoring Networks, Perimeters, and Systems (GSNA)
Business Enablement
• Product Security: Secure DevOps; Secure Development Lifecycle; Bug Bounties; Web, Mobile, Cloud AppSec
• Cloud Computing: Cloud Security Architecture; Cloud Guidelines
• Mobile: Bring Your Own Device (BYOD); Mobile Policy
• Emerging Technologies: Internet of Things (IoT); Augmented Reality (AR); Virtual Reality (VR)
• Mergers and Acquisitions: Security Due Diligence
Risk Management
• Risk Management Frameworks
• Risk Assessment Methodology
• Business Impact Analysis
• Risk Assessment Process
• Risk Analysis and Quantification
• Security Awareness
• Vulnerability Management
• Vendor Risk Management
• Physical Security
• Disaster Recovery (DR)
• Business Continuity Planning
• Policies and Procedures
• Risk Treatment: Mitigation Planning, Verification; Remediation; Cyber Insurance
Identity and Access Management
• Provisioning/Deprovisioning
• Single Sign On (SSO)
• Federated Single Sign On (FSSO)
• Multi-Factor Authentication
• Role-Based Access Control (RBAC)
• Identity Store (LDAP, Active Directory)
Security Operations
• Prevention
  - Data Protection: Encryption, PKI, TLS; Data Loss Prevention (DLP); Email Security
  - Network Security: Firewall, IDS/IPS, Proxy Filtering; VPN, Security Gateway; DDoS Protection
  - Application Security: Threat Modeling; Design Review; Secure Coding; Static Analysis; Web App Scanning; WAF, RASP
  - Endpoint Security: Antivirus, Anti-malware; HIDS/HIPS, FIM; App Whitelisting
  - Secure Configurations
  - Active Defense
  - Patching
• Detection
  - Log Management/SIEM
  - Continuous Monitoring
  - Network Security Monitoring
  - NetFlow Analysis
  - Advanced Analytics
  - Threat Hunting
  - Penetration Testing
  - Red Team
  - Vulnerability Scanning
  - Human Sensor
  - Data Loss Prevention (DLP)
  - Security Operations Center (SOC)
  - Threat Intelligence
  - Threat Information Sharing
  - Industry Partnerships
• Response
  - Incident Handling Plan
  - Breach Preparation
  - Tabletop Exercises
  - Forensic Analysis
  - Crisis Management
  - Breach Communications
Legal and Regulatory
• Compliance: PCI; SOX; HIPAA; FFIEC, CAT; FERPA; NERC CIP; NIST SP 800-37 and 800-53
• Privacy: Privacy Shield; EU GDPR
• Audit: SSAE 16; SOC 2; ISO 27001; FISMA and FedRAMP; NIST SP 800-53A; COSO
• Investigations: eDiscovery; Forensics
• Intellectual Property Protection
• Contract Review
• Customer Requirements
• Lawsuit Risk
Leadership Skills
• Business Strategy
• Industry Knowledge
• Business Acumen
• Communication Skills
• Presentation Skills
• Strategic Planning
• Technical Leadership
• Security Consulting
• Stakeholder Management
• Negotiations
• Mission and Vision
• Values and Culture
• Roadmap Development
• Business Case Development
• Project Management
• Employee Development
• Financial Planning
• Budgeting
• Innovation
• Marketing
• Leading Change
• Customer Relationships
• Team Building
• Mentoring
Based on CISO MindMap by Rafeeq Rehman @rafeeq_rehman http://rafeeqrehman.com Used with permission.
CISO MIND MAP

Governance
• Strategy
• Business Alignment
• Risk Management
• Program Framework: NIST CSF; ISO 27000
• Control Frameworks: NIST 800-53; Critical Security Controls (CSC)
• Program Structure
• Program Management
• Communications Plan
• Roles and Responsibilities
• Workforce Planning
• Resource Management
• Data Classification
• Security Policy
• Creating a Security Culture
• Security Training: Awareness Training; Role-Based Training
• Metrics and Reporting
• IT Portfolio Management
• Change Management
• Board Communications
NEW! Cyber Leader: Security Operations Center
Security Operations Center (SOC) Essential Functions
Forensics
• Host Forensics: memory and disk acquisition
• Network Forensics: log, event info, and PCAP acquisition
• Reverse Engineering: device, software, or code acquisition
• Analyze asset; maintain chain of custody; ensure asset integrity
• Provide info related to the case

Network Security Monitoring
• Sources: honeypots; full PCAP; network IDS; host IDS; wireless IDS; network logs; host logs; application logs; malware detonation
• Network and related artifacts: log server; network full PCAP
• Correlate alerts and log entries to raw data
• Historical assessment with new IOCs
• High-value indicators: long-term analysis; data mining; study of interaction
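The two forensics duties listed above, maintaining chain of custody and ensuring asset integrity, come down to hashing the acquisition once and never letting either the image or the custody record change unnoticed. The following is an added example, not code from the poster or from SANS; the disk image, case id, analyst names and file name are constructed stand-ins. Each custody entry carries the evidence hash and the hash of the previous entry, so a tampered image fails the integrity check and a rewritten custody record breaks the chain.

```python
import hashlib
import hmac
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-in for an acquired disk image so the example runs offline;
# a real acquisition would be a raw or E01 image written by an imaging tool.
SAMPLE_IMAGE = b"NTFS    " + bytes(range(256)) * 64

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB images never load into RAM


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only chain of custody. Each entry embeds the evidence hash and the
    hash of the previous entry, so a deleted, reordered or edited record breaks the chain."""

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries = []

    def record(self, action: str, actor: str, evidence_hash: str, note: str = "") -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "case_id": self.case_id,
            "seq": len(self.entries) + 1,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action,  # acquired, transferred, analyzed, returned ...
            "actor": actor,
            "evidence_sha256": evidence_hash,
            "note": note,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev_entry_hash"] != prev or digest != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def verify_evidence(path: Path, log: CustodyLog) -> bool:
    """Asset integrity: the image must still hash to the value recorded at acquisition."""
    acquired = next(e for e in log.entries if e["action"] == "acquired")
    return hmac.compare_digest(hash_file(path), acquired["evidence_sha256"])


def demo(tamper_image: bool = False, tamper_log: bool = False) -> dict:
    """Acquire, hand over, optionally tamper, then verify both the evidence and the log."""
    with tempfile.TemporaryDirectory() as d:
        img = Path(d) / "host01.dd"  # hypothetical image name
        img.write_bytes(SAMPLE_IMAGE)
        log = CustodyLog("CASE-0001")  # hypothetical case id
        log.record("acquired", "analyst.a", hash_file(img), "disk acquisition behind a write blocker")
        log.record("transferred", "analyst.b", hash_file(img), "handed to the malware team")
        if tamper_image:  # flip one byte deep inside the image
            with img.open("r+b") as f:
                f.seek(4096)
                f.write(b"\x00")
        if tamper_log:  # rewrite who acquired the evidence
            log.entries[0]["actor"] = "someone.else"
        return {"chain_ok": log.verify_chain(), "evidence_ok": verify_evidence(img, log)}
```

In practice the custody log is written to storage the analysts cannot edit (a ticketing system with audit history, or a signed append-only store) and the acquisition hash is also recorded on the physical evidence tag, so the two can be cross-checked when the asset is produced in court.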
Threat Intelligence
• Sources: internal information sources; open-source resources; attribution info (internal threat actor attribution and characteristics)
• Collect open-source info
• Collect internal adversary info
• Correlate events to threat actors
• Retain adversary characteristics

Incident Response
• Issues reported by: users or help desk; law enforcement; the public
• Communications: status reports; news releases; recordings; outreach awareness; problem reports; third-party notification; report illegal activity; seek advice
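Two of the functions above, "historical assessment with new IOCs" in monitoring and "correlate events to threat actors" in threat intelligence, are the same mechanical task: when fresh indicators arrive, sweep the logs already retained and group the hits by the actor the indicator is attributed to. The block below is an added example, not code from the poster or from SANS; the log lines, indicator values and actor names are constructed, and the field-to-indicator mapping (host/query for domains, dst/answer for IPs) is an assumption about this sample log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed historical log lines (not real traffic). They predate the
# intelligence below and can still be swept once the indicators arrive.
RAW_LOGS = """\
2023-03-01T08:12:04Z proxy src=10.20.1.15 dst=203.0.113.7 host=update-cdn.example.net uri=/k.php status=200
2023-03-01T08:12:09Z dns client=10.20.1.15 query=update-cdn.example.net answer=203.0.113.7
2023-03-02T17:45:51Z edr host=WS-0144 user=jdoe proc=svchost.exe sha256=3f0c9a1b7d2e4f6a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2
2023-03-03T02:03:10Z proxy src=10.20.1.22 dst=198.51.100.12 host=news-portal.example.org uri=/ status=304
2023-03-04T11:00:00Z dns client=10.20.1.40 query=login.example.com answer=192.0.2.10
"""

# Constructed indicators with (hypothetical) actor attribution and source.
NEW_IOCS = [
    {"type": "domain", "value": "update-cdn.example.net", "actor": "ACTOR-RED", "source": "osint-feed"},
    {"type": "ip", "value": "203.0.113.7", "actor": "ACTOR-RED", "source": "osint-feed"},
    {"type": "sha256",
     "value": "3f0c9a1b7d2e4f6a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2",
     "actor": "ACTOR-BLUE", "source": "internal-case-0042"},
]

KV = re.compile(r"(\w+)=(\S+)")
# Which log fields can carry which indicator type (assumption for this log format).
FIELDS = {"domain": ("host", "query"), "ip": ("dst", "answer"), "sha256": ("sha256",)}


def parse_events(raw: str) -> list:
    """'<ts> <source> k=v k=v ...' lines into dicts with a parsed timestamp."""
    events = []
    for line in raw.splitlines():
        ts, source, rest = line.split(" ", 2)
        fields = dict(KV.findall(rest))
        fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        fields["source"] = source
        events.append(fields)
    return events


def sweep(events: list, iocs: list) -> dict:
    """Match every retained event against the new indicators; hits grouped by actor, oldest first."""
    index = defaultdict(list)
    for ioc in iocs:
        for field in FIELDS[ioc["type"]]:
            index[(field, ioc["value"].lower())].append(ioc)
    hits = defaultdict(list)
    for ev in events:
        for field, value in ev.items():
            if field in ("ts", "source"):
                continue
            for ioc in index.get((field, str(value).lower()), []):
                hits[ioc["actor"]].append({
                    "ts": ev["ts"], "source": ev["source"], "field": field, "ioc": ioc["value"],
                    # the internal asset involved: client IP for proxy/dns, hostname for EDR
                    "asset": ev.get("src") or ev.get("client") or ev.get("host"),
                })
    return {actor: sorted(h, key=lambda x: x["ts"]) for actor, h in hits.items()}


def first_seen(result: dict) -> dict:
    """Earliest retained evidence per actor: the start of the dwell-time question."""
    return {actor: hits[0]["ts"].isoformat() for actor, hits in result.items()}
```

The first-seen timestamp is the output a SOC lead wants from a retroactive sweep: it bounds how long the actor has been present and which assets the incident response function must contain first. The same index can be re-run on each new intelligence drop against whatever log retention the SOC keeps, which is why retention depth (an MSSP limitation listed later on this poster) matters for correlation.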
Self Assessment
• Configuration Monitoring: create baselines; identify configuration changes; maintain systems
• Vulnerability Assessment: identify risk and exposure; scan systems for known vulnerabilities; impact of new vulnerabilities
• Penetration Testing: model attacker scenarios; exploit systems; reconnaissance, organizational intelligence; deconfliction
• Exercises: tabletop scenarios; model threats and events; train and assess staff; DR/BCP

Command Center
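Configuration monitoring as listed above is "create baselines" followed by "identify configuration changes", but a SOC also has to tell benign drift from a hardening regression. The block below is an added example, not code from the poster or from SANS: it snapshots an sshd_config-style file, diffs it against the baseline, and separately flags settings that fell out of their hardened value, including a setting that was simply deleted (and so silently reverted to the daemon default). The two config texts and the hardening table are constructed for the example.

```python
import hashlib
import json

# Constructed snapshots of an sshd_config taken at two points in time. In production the
# baseline would come from the configuration-management or FIM tool that owns the host.
BASELINE_SSHD = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
"""

CURRENT_SSHD = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 6
AllowTcpForwarding yes
"""

# Settings whose weakening should raise an alert rather than a drift ticket (assumed policy).
HARDENING = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
}


def parse_config(text: str) -> dict:
    """sshd_config style: 'Key value' per line, '#' comments, first occurrence wins."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg.setdefault(key, value.strip())
    return cfg


def snapshot(text: str) -> dict:
    """Baseline record: the parsed settings plus a digest of their canonical form."""
    cfg = parse_config(text)
    canonical = json.dumps(cfg, sort_keys=True).encode()
    return {"settings": cfg, "digest": hashlib.sha256(canonical).hexdigest()}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Identify configuration changes and single out hardening regressions."""
    b, c = baseline["settings"], current["settings"]
    changes = {
        "added": {k: c[k] for k in c.keys() - b.keys()},
        "removed": {k: b[k] for k in b.keys() - c.keys()},
        "modified": {k: (b[k], c[k]) for k in b.keys() & c.keys() if b[k] != c[k]},
    }
    # A regression is a hardening key the baseline had right that is now wrong or missing;
    # a missing key is not "unchanged", it reverts to the daemon default.
    regressions = [k for k, want in HARDENING.items() if b.get(k) == want and c.get(k) != want]
    return {
        "changed": baseline["digest"] != current["digest"],
        "changes": changes,
        "regressions": sorted(regressions),
    }
```

The digest comparison is the cheap check that runs every interval; the field-level diff only runs when the digest moves. Keeping the regression list separate from the general change list is what lets the same job feed two queues: drift goes to the system owners under "maintain systems", regressions go to the incident response function.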
Outsourcing Pros
• Potential cost savings – building a SOC is expensive
• Fully trained and qualified staff
• Experience handling stressful situations
• Experience handling all types of security events effectively and efficiently
• Augments existing staff and fills gaps where hiring skilled professionals is difficult
• Threat Intelligence – keeps you current on emerging threats
• Helps you leverage security intelligence across industries
• Industry information sharing
• Enables organizations to focus on core tasks
• Breaks down barriers in organizations where silos exist
• Enables 24x7x365 requirement
• Provides SLAs on how service will be provided
• Well-defined run book
Outsourcing Cons
• Unfamiliar with the organization's business drivers and industry
• Limited depth of service and capabilities
• Optimizes its systems to scale and to service a large volume of customers
• Large customer base, so it lacks intimate knowledge of any one client
• Lack of dedicated resources and support for your organization
• Focused on maximizing profits
• Lacks specialization: excels at standard security services rather than customized ones
• Minimal opportunities for correlation unless all data are sent to the MSSP
• Outsourced threat intelligence has a short lifespan
• No incentive to help improve your operations
• Limited ability to store data
Building a SOC
What do you need to consider when utilizing a Managed Security Service Provider (MSSP) vs. building a SOC in-house?
Getting C-Level Support to Ensure a High-Impact SOC Rollout, by John Pescatore: http://www.sans.org/u/nnD
MSSP Onboarding Checklist
• Organizational Requirements: defined ownership of security; good cultural fit; business partnership
• Hiring Standards: background checks; credit checks; security clearance; references; certifications
• Adequately Staffed: staffing member ratios
• Hiring Practices: drug tests; citizenship requirements
• Suppliers, Partners, and Resellers: access to customer data; connection to network
• Communication Tools: case management solution; information sharing portal; secure chat
• Reports: metrics and dashboards; status delivery frequency; MTTD, MTTR
• Organizational Stability: years in business; financially stable; SLAs and failover capability; exit strategy
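The checklist asks for MTTD and MTTR in the provider's reports, and the SLA line asks what happens when they are missed. Those two items only mean something if both sides compute the numbers the same way, so here is an added example (not from the poster or from SANS) of computing them per severity from case records, with SLA breach lists and one deliberate caveat: a case that is still open is counted at its current age rather than dropped, so a stale ticket inflates MTTR instead of hiding. The case records and the SLA targets are constructed for the example.

```python
from datetime import datetime, timedelta
from statistics import mean, median

# Constructed case records (not real incidents); timestamps are UTC, ISO 8601.
CASES = [
    {"id": "INC-1", "severity": "high", "occurred": "2023-05-01T02:00:00",
     "detected": "2023-05-01T02:30:00", "resolved": "2023-05-01T06:30:00"},
    {"id": "INC-2", "severity": "high", "occurred": "2023-05-03T10:00:00",
     "detected": "2023-05-03T11:30:00", "resolved": "2023-05-04T11:30:00"},
    {"id": "INC-3", "severity": "medium", "occurred": "2023-05-05T00:00:00",
     "detected": "2023-05-06T00:00:00", "resolved": "2023-05-08T00:00:00"},
    {"id": "INC-4", "severity": "low", "occurred": "2023-05-07T12:00:00",
     "detected": "2023-05-07T12:05:00", "resolved": None},  # still open
]

# Hypothetical contractual targets, in hours, per severity.
SLA_HOURS = {
    "high": {"mttd": 1, "mttr": 12},
    "medium": {"mttd": 24, "mttr": 72},
    "low": {"mttd": 72, "mttr": 240},
}


def _hours(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)) / timedelta(hours=1)


def case_metrics(case: dict, now: str = "2023-05-10T00:00:00") -> dict:
    """Time to detect (occurred -> detected) and time to respond (detected -> resolved or now)."""
    ttd = _hours(case["occurred"], case["detected"])
    # Open cases count their age so far; excluding them would make MTTR look better
    # precisely when the provider is sitting on an incident.
    ttr = _hours(case["detected"], case["resolved"] or now)
    return {"id": case["id"], "severity": case["severity"],
            "ttd_h": ttd, "ttr_h": ttr, "open": case["resolved"] is None}


def report(cases: list, now: str = "2023-05-10T00:00:00") -> dict:
    """Per-severity MTTD/MTTR (mean and median) plus the cases that breached each SLA."""
    rows = [case_metrics(c, now) for c in cases]
    out = {}
    for sev in sorted({r["severity"] for r in rows}):
        sub = [r for r in rows if r["severity"] == sev]
        ttd = [r["ttd_h"] for r in sub]
        ttr = [r["ttr_h"] for r in sub]
        out[sev] = {
            "count": len(sub),
            "open": sum(r["open"] for r in sub),
            "mttd_h": mean(ttd), "median_ttd_h": median(ttd),
            "mttr_h": mean(ttr), "median_ttr_h": median(ttr),
            "mttd_breaches": [r["id"] for r in sub if r["ttd_h"] > SLA_HOURS[sev]["mttd"]],
            "mttr_breaches": [r["id"] for r in sub if r["ttr_h"] > SLA_HOURS[sev]["mttr"]],
        }
    return out
```

Reporting the median beside the mean is deliberate: one slow case drags the mean, so a provider quoting only means can look worse than it is, and one quoting only medians can hide the outliers that matter. Agreeing in the contract on which timestamp is "detected" (alert fired vs. analyst acknowledged) changes MTTD more than any tooling does.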
Learn how to design, build, operate, and mature a Security Operations Center (SOC)
MGT517: Managing Security Operations: Detection, Response, and Intelligence (www.sans.org/MGT517)
Incident Response: stakeholders and containment
• Stakeholders: business units; steering committee; management; internal systems; external systems
• Isolate and contain assets: logically; physically
• Overall process: eradicate issues; return to service
• Incident response works with other SOC functions to: obtain support and analysis; provide status and reporting